[Xymon] XyMon client binaries default security is bad
Andrey Chervonets
a.chervonets at cominder.eu
Sat Mar 2 09:51:06 CET 2013
Thanks to everyone who participated in the interesting discussion!

Yes, securing client-server communication may be a problem.
I see just 2 quite simple things that will eliminate most of the issues:
a) limit the list of acceptable connections by IP at the OS level (or maybe
XyMon can do this too?!)
b) use ssh tunnels between client and server - it was already described
in the XyMon manuals or Wiki

All other cases, when someone will try to send a report "on behalf of" a real
client, are more complicated and require some networking skills and
special reasons.

My concern regarding read and execute permission for everyone on the client
host was just to prevent users other than xymon from trying to play with the
xymon tools.
If anyone sees they can execute anything, they can try to do something just
for interest, for example send a "drop .." request,
just to test system security and the sysadmin's ability to track exceptions.

I think this can be easily fixed, for example with 1 find execution after
installation is done:
find client/ -exec chmod o-rwx {} \;
or just:
find client/bin -exec chmod o-rwx {} \; # if someone sees that others
should see some output generated.

Best regards,
Andrey Chervonets
----------------------
CoMinder SIA.
http://www.cominder.eu/
Mobile: +371 26517848
Fax: +371 66066346
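The permission fix from the message above, as an added example that is not part of the original post: it builds a throwaway client tree with the world-accessible modes a default install might leave (constructed sample, not a real Xymon install; file names are assumed), applies the same find/chmod one-liner, and counts how many entries still grant anything to "other" so the result can be verified rather than eyeballed.

```shell
#!/bin/sh
# Added example: harden a Xymon client tree with "chmod o-rwx" and verify it.
set -eu

# Create a sample client tree (constructed for this demo, not a real install)
# with typical world-readable/executable modes. Prints the temp dir path.
make_sample_client() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/xymon-demo.XXXXXX")
    mkdir -p "$dir/client/bin" "$dir/client/etc"
    printf '#!/bin/sh\necho hello\n' > "$dir/client/bin/xymonclient.sh"
    printf 'XYMSRV=192.0.2.10\n' > "$dir/client/etc/xymonclient.cfg"
    chmod 755 "$dir/client" "$dir/client/bin" "$dir/client/etc" \
              "$dir/client/bin/xymonclient.sh"
    chmod 644 "$dir/client/etc/xymonclient.cfg"
    printf '%s\n' "$dir"
}

# Strip every "other" permission bit under client/ (the author's one-liner).
# Owner (xymon) and group bits are left untouched.
harden_client_tree() {
    find "$1/client" -exec chmod o-rwx {} \;
}

# Count entries under client/ whose "other" triplet is not "---".
# Uses ls -ld output (chars 8-10 of the mode string), which is portable
# across GNU and BSD find, unlike -perm /mode.
count_world_accessible() {
    find "$1/client" -exec ls -ld {} \; \
        | awk '{ if (substr($1, 8, 3) != "---") n++ } END { print n + 0 }'
}

# Demo run: counts before and after hardening, then clean up.
demo_dir=$(make_sample_client)
echo "world-accessible entries before: $(count_world_accessible "$demo_dir")"
harden_client_tree "$demo_dir"
echo "world-accessible entries after:  $(count_world_accessible "$demo_dir")"
rm -rf "$demo_dir"
```

Run the same count against the real installation directory after the chmod to confirm nothing under it is still reachable by users other than xymon (and its group).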